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Abstract 

We consider quantum interpolation of polynomials. We imagine a quantum com- 
puter with black-box access to input/output pairs where / is a degree-d 
polynomial, and we wish to compute /(O). We give asymptotically tight quantum 
lower bounds for this problem, even in the case where is among the possible values 

of Xj. 



1 Introduction 

Can a quantum computer efficiently interpolate polynomials? Can it distinguish low-degree 
from high-degree polynomials? We consider black-box algorithms that seek to learn infor- 
mation about a polynomial / from input/output pairs {xi, f{xi)). We define a more general 
class of ((i, S) -independent function properties, where, outside of a set S of exceptions, know- 
ing d input values does not help one predict the answer. There are essentially two strategies 
to computing such a function: query d+1 random input values, or search for one of the \S\ 
exceptions. We show that, up to constant factors, we cannot beat these two approaches. 

Let J-" be a collection of functions from some domain D to some range R. A property 
is a (nontrivial) map P: J-" — > {0, 1}. We say that V is (rf, S) -independent for some subset 
5 C D if, for any zi, . . ., G D with Zi, . . ., Zr E S and Zr+i, . . ., z^ ^ S (where 
r = \{zi} n 5*1), the {d — r)-tuple of values (/(^r+i), • • • , f{^d)) is independent of the (r -f 1)- 
tuple {f{zi),...,f{zr),V{f)). We say that V is d-independent if it is (c?, 0)-independent. 
(For simplicity, we consider independence with respect to the uniform distribution on J-'.) 

For example, let J-" be the set of degree-rf polynomials from some finite field K to itself. Let 
R = K, and let D be some subset of K. We could define V{f) to be one bit of information 
about a particular function value f{z). U z ^ D, then this property is (i-independent; 
knowing any d values of a degree-d polynomial yields no information about any other value. 
If z E D, then V is {d, {2r})-independent. Alternatively, we could define V{f) to be one bit 
of information about a (nonconstant) coefficient of /; this is also ^-independent. 
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We analyze quantum algorithms that compute such a V based on black-box access to the 
function /. We consider two models: 



• In the chosen-input model, we give our oracle x E D and it returns f{x). (More 
precisely, the oracle transformation maps 6, c) to |x, 6 + /(x), c), where + is some 
appropriate reversible notion of addition.) 

• In the random-input model, there is some map X from {1, onto D. We give our 
oracle i and it returns the pair where Y[i) = f{X{i)). This oracle is our 
only access to the map X. 

The random-input model may seem unusual. It is a natural extension of Valiant's PAC 
learning model |Val84] to the quantum setting, although it differs slightly from the quantum 
PAC model introduced by Bshouty and Jackson |BJ99j . For technical reasons, we con- 
sider distributions on maps X with the same image D. We say that such a distribution is 
permutation-independent if, for any permutation a on D, the maps X and a o X have the 
same probability. 

We prove a result for each model. We say that the bias of an algorithm is its edge over 
random guessing; that is, on any input /, the algorithm outputs V{f) with probability at 



Theorem 1. Let V be a d-independent property of a family of functions T . Let A be 
a quantum query algorithm, in the chosen-input model, which, for any f E T , correctly 
computes V{f) with positive bias. Then the number of queries made by A is at least {d-\-l)/2. 

Theorem 2. Let V be a {d, S) -independent property of a family of functions J-" with a 
domain of size n. Let A be a permutation-independent distribution of random maps. Let A 
be a quantum query algorithm, in the random-input model, which, for any f E T , and with 
X ~ A, computes V{f) with bias at least e. Then the number of queries made by A is at 
least 



where Ce is a constant depending on e. 

To return to our first example, suppose T is the set of degree-c? polynomials, and V{f) 
is one bit of information about f{z) for some z ^ D. One strategy is to make d + 1 queries 
to compute d + 1 different values of f{X{i)), interpolate the polynomial, and read off f{z). 
The above theorems show that, for either query model, this approach is within a factor of 2 
of being optimal. 

What if, instead, z G -D? In the chosen- input model, computing f{z) is no longer 
interesting; we can perform a single query. In the random-input model, we could still query 
d -\- 1 points and interpolate, or we could use Grover search |Gro96j to find the value of i 
with X{i) = z, at which point one additional query gives the answer. [Theorem 21 says that 
one of these two strategies must be optimal, up to a constant factor. 



least ^ + e. 
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We survey lower bound methods in [Section 21 focusing on the approach we will use: the 
polynomial method IBBC"*"] . We then prove the two above theorems in [Section 31 and give 
some final thoughts in [Section 41 

2 Lower Bound Methods 

There are several standard techniques for proving quantum query lower bounds. One ap- 
proach is to use information theory. For example, suppose our goal were not to compute 
f{z) at a single point, but to produce a complete description of the degree-rf polynomial /. 
This requires specifying d + 1 coefficients, each an element of K. But each query gives us, 
information-theoretically, at most two elements of K. By an interactive version of Holevo's 
Theorem |CvDNT99t Theorem 2], we require at least {d + l)/4 queries. However, this ap- 
proach does not apply to computing a single value f{z). 

A second approach is to use the "adversary" method of Ambainis |Amb02] . The basic 
idea, in our setting, would be to find a collection of functions g E J-' with V{g) = 0, and 
another collection of /i G J-" with V{h) = 1, where each g is "close to" many h, in the sense 
that they agree on almost all inputs. However, any two distinct polynomials disagree on 



almost all inputs. H0yer, Lee, and Spalek |HLS07] . after noting that Ambainis's original 



method cannot prove a non-constant lower bound when 0-inputs and 1-inputs disagree on a 
constant fraction of the inputs, propose a variant with "negative weights" that, in theory, 
does not run up against this barrier. In practice, even this generalized adversary method 
has not yet yielded a nonconstant lower bound for such a problem. 

We will apply the polynomial method [BBC^j . For the chosen-input model, let 6x,y be 
the function of / that is 1 when f{x) = y and otherwise. Then the quantum query maps 

\x, 6, c) f-^ ^ \x, b + y,c) . 
y 

So, if we start in some fixed state, after a single query each amplitude is an affine expression 
in the values 6x^y. After T queries, each amplitude is a polynomial in {S^^y} of degree at most 
T. We now measure the state and output some bit; the probability that this bit is 1 is thus 
a polynomial of degree at most 2T. This polynomial p satisfies the following properties: 

• If 6x,y encodes any function from D to R (that is, each 6x,y G {0, 1} and '^y^^Sx^y = 1 
for all x), then < p{{Sx,y}) < 1. 

• If 6x^y encodes some f E J^, then \p{{Sx,y}) — < |- 

A lower bound on the degree of such a polynomial thus gives a lower bound on the number 
of quantum queries. 

For the random-input model, the same idea applies; the variable Si^x,y is 1 when X{i) = x 
and f{x) = y and otherwise, and 



\i, a, 6, c) H-> ^ Si^x,y \i,a + x,b + y, c) . 



x>y 
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The polynomial p in this setting satisfies the properties: 

• If Si^x,y encodes any functions X from indices to D and Y from indices to R (that is, 
each 6i^x^y e {0, 1} and Y.x,y^i,x,y = 1 for all i), then < p{{Si^x,y}) < 1- 

• If 6i^x,y encodes X and / o X for some f ^ T ^ then \v{{_^i,x,y\) — < | — e- 

In early uses of the polynomial method [BBC"*"] , one step in a typical application was to 
symmetrize down to a polynomial in one variable. This works well for total functions, but not 
for promise problems. (Here, the promise is that / represent some function.) The method 
has been adapted to a similar setting for proving a lower bound for the element distinctness 
problem |AS04t[Kut05j : in this case, symmetrizing separately on the domain and range yields 
a function of two variables. We will use a similar approach to tackle interpolation. 

Remark. There are different ways to prove lower bounds on the degree of a polynomial 
computing a function. For example, a referee for an early version of this paper noted that 
[Theorem II above can be proved using a general resu 110 of Buhrman, et al. |BVdW07j . We 
give a direct proof whose main idea generalizes to the random-input problem. 



3 Proofs 



We now prove our main results. We begin with the chosen-input model. 

Proof of \Theorem 1\ Let A be an algorithm computing the ci-independent property V with 
nonzero bias. Suppose that A makes fewer than {d + l)/2 queries. As discussed in [Section 2\ 
we write the probability that A outputs 1 as a polynomial p(/), by which we mean a poly- 
nomial in the variables {5x,y}, of degree at most d. When / G P^^(O), then < p{f) < |; 
when / e P~^(l), then \ < p{f) < 1. 

Write p as a sum of monomials Y2k Each monomial has the form 



t 

rrik = Y[5x^,y, 



for some t < d. Hence, each ruk depends on at most d values of /. By the definition of 
(i-independence, the expected value of over P-^(O) is the same as it is over V ^(1). This 
is true for all k, so 

l< E b(/)]= E [p{f)]<l. 

This is impossible. We conclude that no such algorithm exists; that is, any algorithm 
computing V requires at least {d\ l)/2 queries. □ 



^See the discussion following their Lemma 3 |B VdWOT) . 
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The proof of lTheorem 21 is more involved. We will first show that, assuming an algorithm 
makes fewer than {d+l)/2 queries, the actual values of f{x) do not matter unless x is in the 
special set S. This first part of the argument uses the same logic as the proof of lTheorem 1[ 

Intuitively, if the values f{x) matter only for x G S', the simplest possible case would 
be one where any such value of /(x) immediately yields the answer V{f). This is Grover 
search, with a known lower bound of n/\S\). The second part of the proof of lTheorem 21 
represents one approach to formalizing this intuition. 

Proof of \Theorem M Let A be an algorithm computing the {d, 5')-independent property V 
with bias at least e. Suppose that A makes fewer than {d + l)/2 queries. As discussed in 
ISection 2| we write the probability that A outputs 1 as a polynomial p{X, Y), by which we 
mean a polynomial in the variables {Si^x,y}, of degree at most d. For any i and any x ^ S, 
we introduce the variables C,i,x (which is 1 when X{i) = x and otherwise) and Vi^y (which is 
1 when Y{i) = y and otherwise), and we write Si^x,y = ^i,x'^i,y For all X: {1, . . . , n} — t- D 
and Y : {1, . . . , n} — )■ -R, we have < p(X, Y) < 1; we will use this generality. When / G J-", 
wehave|p(X,/oX)-P(/)|<i-e. 

Write p as a sum of monomials ^^^fc- Each monomial has the form 

r t 
j=l j=r+l 

for some r < t < d with Xj E S for j < r and Xj ^ S for j > r, and with all ij distinct. 
By the definition of ^-independence, once we condition on X{ij) = xj for 1 < j < the 
expected value of nj=r+i ^'^^^ / ^ ^'iid X ~ A is independent of V{f) and of the 
values 5i^^xj,yj for j < r. Hence, we can replace this product with its expected value over / 
and X, yielding a new polynomial q using only the variables 6i^x,y (for x G S) and ^i^x (for 
X ^ S). The polynomial q satisfies the original conditions: < q{X,Y) < 1 for any X,Y, 
and \q{X, f o X) — V{f)\ < | — e when f E J^. Furthermore, degg < degp. 

If S" = 0, then q depends only on X but not /, which is impossible. In this case, A 
must have made at least {d + l)/2 queries. For the remainder of the proof we assume S is 
nonempty. 

We now apply g to a particular set of instances. Let k = \S\, write 5* = {zi, . . . , Zk}, 
and write D \ S = {zk+i, . . . , z„}. We will permute these values in blocks. Let B = [n/k\ . 
For any function vr from {0, . . . , B — 1} to {0, . . . , B — 1} we get an arrangement given by 
X{i + kj) = Zij^k^^j) for 1 < z < and < j < 5. (We write X{i) = Zi for i > Bk.) When 
vr is a permutation, the list {X{i)} covers all of D. 

Now, choose some g,h E J-" with V{g) = and 'P(/i) = 1. We let Y{i + kj) (where 
1 < i < k) he g{zi) when j is even and h{zi) when j is odd. Fixing these values, any function 
vr gives us values of 5i^x,y (for x E S) and ^i^^ (for x ^ S). We let qin) denote the result of 
applying the polynomial q to these values. It is clear that we can rewrite each -j, or 5i^x,y 
as or as some rjij, which is defined to be 1 if TT{i) = j and otherwise. Hence, q{n) is a 
polynomial in {f]ij}- 
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For any function vr, we must have < qi^n) < 1. For a permutation vr with vr~^(0) 
even, we have q{ii) = q{X,g o X) < ^ — e. For a permutation vr with 7r~^(0) odd, we 
have g(7r) = q{X, h o X) > | + e. We have reduced to the standard problem of permutation 
inversion; as first shown by Ambainis |Amb02] , we know that any such polynomial has degree 

For concreteness, we finish the proof using symmetrization. First, we symmetrize q with 
respect to any rearrangement of the values 1, . . . , B — 1 in the range of vr. This reduces us 
to variables {r]i} where rji = 1 when = and otherwise. Next, we symmetrize with 
respect to any rearrangement of even i and any rearrangement of odd i. We are left with 
a polynomial q{a,(3) in two variables: a counts the number of even i with 7i{i) = 0, and /3 
counts the number of odd i with 7r(i) = 0. 

Note that < q{a, (3) < 1 for any < a < \B/2] and any < /5 < [B/2\. Furthermore, 
^'(l, 0) < I — e and g(0, 1) > | + e. We break into two cases depending on whether g(0, 0) 
is at least ^ or at most |. In either case, we get a polynomial q in one variable with 
< q{i) < 1 for i = 0, . . . , [B/2\ and with a constant gap between g(0) and By 
a lemma of Paturi |Pat92j (see also [BBC"*"! INS94] ). we conclude that degg = il{\/B) as 
desired. By construction, degg < degg < degp. □ 

4 Conclusions 

We have proven a lower bound of {d + l)/2 for polynomial interpolation (to find f{z) when 
z is not in the domain of queries). The usual classical algorithm, of course, requires d + 1 
queries. We suspect that a quantum algorithm should also require d + 1 queries, but we do 
not have a proof. 

It is worth noting that, in the generality in which it is stated, [Theorem H is tight. Let J-" 
be the set of all functions from some domain to {0, 1}, and let V{f) be the parity 0^g[; f{x) 
of some collection of input places with \U\ = d + 1. This is a (i-independent property; 
any set of d values, even if they all lie in U, are independent of the final answer. In this 
case, the standard Deutsch-Josza algorithm |DJ92] computes the parity with {d + l)/2 
queries. [Theorem II can be viewed as an extension of the parity lower bound of Farhi, et 
al. |FGGS98] . Hence, any stronger lower bound for polynomial interpolation would require 
using some additional structure of the problem. 

The authors' original proof of [Theorem II did not use the polynomial method. Instead, 
following the same general lines as Ambainis's proof of the adversary lower bound |Amb02] . 
we kept track of density matrices. If, after some number of queries, we cannot distinguish 0- 
inputs from 1-inputs even given m additional classical queries, then after one more quantum 
query we cannot distinguish 0-inputs from 1-inputs given m — 2 additional queries. The 
initial value of m is d, so if we make fewer than {d + l)/2 queries the final value is at least 
0, meaning that we cannot gain any information about the answer. 

The authors moved away from this proof, both because it was harder to formalize and 
because it did not adapt as well to ITheorem 21 However, it may be that combining this 
original idea with the adversary method could lead to even stronger bounds on similar 



6 



problems. 
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